Blog #3: Privacy and Transparency Online: WG3 Blog Series

Blog #3: A people-centered standard for online transparency

This post by Ben Blink is the first in a series as part of the WG3’s effort to develop a multistakeholder definition of what corporate and government transparency means from the user perspective. The Group will be developing the definition and soliciting public input over the next few months.

Ben Blink is a member of the Freedom Online Coalition working group on privacy and transparency, and a graduate student at the Kennedy School of Government at Harvard University. From 2012 – 2015 he worked in public policy at Google, specializing in free expression and international relations.

It’s no surprise that governments issue legal requests to the telecommunications and Internet companies we use. These include lawful orders to turn over users’ private data, as well as orders telling the companies to restrict specific information on their services. The threats that these government requests can pose to freedom of expression and privacy arewell documented, and people are eager to understand what’s going on with their online data.

More than 60 companies have invested significant thought, energy, and resources into transparency reports that offer explanations of how they interact with law enforcement and national security officials. And some governments have reported varying degrees of information about the requests they issue to companies (see our working group’s 2015 report for details on a few of these efforts).

But current transparency reports are far from providing a full picture. It is still virtually impossible for citizens to confidently say that they have a sense of why, where, and how governments can access their data or restrict their communications.

That’s a problem. Transparency is the best hope citizens have to obtain the information they need to make informed choices about what Internet services they feel comfortable using, and when. So what does adequate transparency look like? Here’s a simple litmus test for companies and governments:

after reading your transparency reports, would citizens have a comprehensive understanding of how authorities can access their information and restrict their expression, and under what circumstances?

This includes an understanding of how governments interact with the information people share with companies directly (like emails, social media posts, and uploaded videos), as well as the data they generate (like browsing history and advertising cookies). If citizens can’t look at transparency reports and related tools and understand the full scope of government power to access or influence their data, the transparency tools fall short. Citizens would not have the information they need to make informed choices about what Internet services they feel safe using, and where they feel safe using them.

So how do we ensure that governments and companies can pass this people-centered litmus test? It’s hard to prescribe a uniform transparency format for every country or Internet service. No two governments look alike, and every service is different. But it’s helpful to define categories of information that transparency tools need to pass the test. For example, here are three general questions that any useful transparency tool must answer for citizens:

What laws can governments invoke to access my private information, or restrict my expression? Individuals need to know what laws are on the books that governments can use to compel Internet services to disclose their information or restrict their communication. National governments should compile the national, regional, and local laws that could compel ICT companies to share user data or restrict expression, and make them available in one place. Companies can do their part by sharing the list of laws that governments have cited when making legal requests. A useful transparency report needs to index all of the ways in which governments can access private information or restrict expression.

How are these laws applied in practice, and interpreted? Governments should provide plain language that explains the circumstances where the laws can be used to compel Internet and telecommunications companies to disclose data or restrict content. This is especially important if governments are citing laws that predate Internet technology. Companies should explain how they interpret specific laws, and the requirements they make of governments before complying. This should include how companies interpret jurisdiction, and which governments have legal authority to order access to user data, or restrict expression. This needs to include detailed descriptions of what safeguards are in place to protect users’ rights.

On what scale is this happening? The best way to help people understand the extent to which governments are issuing legal requests to companies is to publish the numbers. Governments should share how many legal requests they are making of companies, and the number of people the requests are targeting. Companies should share how many requests they are receiving, the purpose of each request, and the percent with which they comply. Smart people haveproposed more detailed metrics that would be valuable to users.

Answering these questions is hard, and making the information accessible to users is even harder. But companies and governments can’t celebrate their transparency efforts until citizens have all the information they need to make informed choices about how they share information online.